Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-12-27 17:14:36 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'raja/panic_taint' into arraybolt3/trixie-raja-merge

Browse source
This commit is contained in:
Aaron Rainbolt 2025-12-14 14:05:36 -06:00
commit 005b66c265
No known key found for this signature in database
GPG key ID: A709160D73C79109
2 changed files with 28 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -242,6 +242,11 @@ Kernel space:
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial-of-service attacks and both cold and warm boot attacks.
- Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include
upon using out of specification hardware, bad page states, ACPI tables being overridden,
severe firmware bugs, in-kernel tests run, or mutating debug operations. It can also
include the loading of proprietary or out-of-tree modules.
- Prevent sensitive kernel information leaks in the console during boot.
- Enable the kernel Electric-Fence sampling-based memory safety error detector

23
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
View file

@ -163,6 +163,29 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
## Force the kernel to immediately panic if it becomes tainted.
## Using kernel documentation can select a subset of taints to create a security policy.
## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask.
## Some example combinations are shown below.
## S - Panic on using out of specification hardware: 4 = 0x4.
## B - On the above and bad page faults or some unexpected page flags: 36 = 0x24.
## A - On the above and ACPI tables are overridden by users: 292 = 0x124.
## I - On the above and severe firmware bugs: 2340 = 0x924.
## N - On the above and in-kernel tests have been run: 264484 = 0x40924.
## J - On the above and userspace has used a mutating debug operation: 788772 = 0xC0924.
## G/P, O - On the above and the loading of proprietary or out-of-tree modules: 792869 = 0xC1925.
## All must first be tested to ensure there are no pre-existing issues on user hardware.
## After confirming stability this enforces strict user-defined kernel operation and security at runtime.
##
## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US
## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/
## https://github.com/Kicksecure/security-misc/pull/339
##
## Note that this must be used with panic=-1 for it to function as intended.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924
## Prevent sensitive kernel information leaks in the console during boot.
## Must be used in combination with the kernel.printk sysctl.
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.